president and chief technology of -
cer of IT infrastructure solutions for
CSC s North American Public Sector.
One of the biggest challenges
remains the lack of industry stan-
dards regarding what deliverables
should be included in a DRaaS pack-
age. "Because the space is still very
new, I wouldn t take anything for
granted when you are negotiating
SLAs," Dines said.
Another potential stumbling block
is the need to sort out complex inter-
connections in existing IT systems
before duplicating them in the cloud.
"Sometimes it s not clear what all the
interdependencies are for applica-
tions you ve been running for the
last 20 years," Riddle said.
The fundamentals
What should you consider before
trusting the cloud for disaster recov-
ery? The rst step is deciding on the
right cloud model --- public, private
or a hybrid of the two. Moving to
a public cloud service is best for
agencies that have relatively homo-
geneous infrastructures --- namely,
virtualized x86 servers rather than a
mix of Unix and mainframe servers,
Knox said.
IT organizations with mixed plat-
forms should consider a private or
hybrid cloud strategy instead. "In
larger enterprises, people aren t ask-
ing, How am I going to recover my
mainframe in the cloud? " he said.
"The more heterogeneous the envi-
ronment, the more complex [disaster
recovery] gets because of different
types of hardware and platforms,
recovery times, recovery points, and
tiers of applications."
Technological diversity is not the
only consideration. Agencies should
also carefully evaluate the kind of
data they might be sending to the
cloud, Khanna said. For security
reasons, mission-critical applica-
tions or those that hold classi ed
data should remain in a private cloud
or a shared government cloud. Less
critical resources could be protected
by a public DRaaS solution.
"Not all applications and data
are classi ed or top secret --- even
in intelligence agencies and the
[Defense Department]," Khanna said.
"So they absolutely could go into a
public cloud."
Other security considerations stem
from how data will be protected as it
is being transferred to and from the
recovery site, and while it is housed
in the cloud. Encryption and two-
factor access controls are a must,
he said.
Khanna also said agencies should
decide what RTOs each application
requires and let that guide deploy-
ment decisions. "If I go to a public
cloud, I may be riding on a public
infrastructure and whatever SLA I
can negotiate," he said. "So I may get
better RTOs from a private cloud."
The hurdles
Planning and a needs analysis alone
won t guarantee success, experts say.
IT managers should also prepare for
some common challenges associated
with DRaaS.
Fees can be a shock if they re not
clearly de ned during the SLA nego-
tiation process. Analysts said many
DRaaS solutions charge a basic
monthly fee to cover daily data rep-
lications and the cloud resources
necessary to prepare for a disaster.
But agencies should also be prepared
for additional, so-called declaration
fees, the costs that kick in when a
customer "declares" that a crisis
is unfolding and recovery mode is
launched. Declaration fees might be
levied for each day the agency is in
recovery mode.
Other pricing confusion comes
about because some service pro-
viders use their own models rather
than an industry-accepted standard.
For example, one provider might set
prices according to the number of
ExecTe c h
virtual machines being protected,
while another might use the num-
ber of processors as the benchmark.
"It s been hard to make apples-to-
apples comparisons," Knox said.
Fortunately, there are signs that
the situation is changing. A recent
industry trend is to base pricing on
a combination of connection costs,
memory, disk space and the number
of virtual machines. "We are starting
to see some standardization around
those four core areas for pricing,"
Knox said.
Another potential snag: Cloud pro-
viders frequently oversubscribe their
services by signing up more custom-
ers than can be accommodated if
disaster strikes them all at the same
time. That approach is not inherent-
ly bad, Dines said, because it helps
bring down subscription costs. But
agencies should question a potential
service provider about how it will
keep from becoming overwhelmed.
"I would ask what safeguards they
have put in place to make sure that
there will never be resource con icts
at time of declaration," she said.
"That might be as simple as mak-
ing sure that they ve got customers
from a wide geographic range so it s
unlikely that they d all be declaring
at the same time."
Finally, agencies should avoid the
temptation to view DRaaS as a set-
it-and-forget solution.
"I ve met organizations that say,
I m sending DR to the cloud; I m
not going to think about it again, "
Dines said. "I ve seen organizations
lose focus because they ve moved DR
to the cloud."
But even with a cloud solution,
agencies must continue to perform
all the associated duties that go
along with a disaster recovery pro-
gram, including conducting business
impact assessments, risk analyses
and tests with internal staff.
Some vegetables you just can t
avoid eating. ■
30 October 30, 2012 FCW.COM